US-12265838

Model protection system

Published: April 1, 2025
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A system for model protection includes a processor. The processor is arranged to execute a guest virtual machine (VM), a primary VM, and a hypervisor. The guest VM includes a model, and is arranged to send at least one command to a command hub. The primary VM is arranged to refer to the at least one command sent from the command hub to manage and configure a protection setting for a protected model derived from the model. The hypervisor is arranged to receive a safety setting command sent by the primary VM, and manage and configure the safety protection component according to the safety setting command, to set a read-only mode of the protected model.

Patent Claims
19 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A system for artificial intelligence (AI) model protection, comprising: a processor, arranged to execute: a guest virtual machine (VM), wherein the guest VM comprises an AI model, and the guest VM is arranged to send at least one command to a command hub; a primary VM, wherein the primary VM is arranged to receive the at least one command sent from the command hub, and refer to the at least one command to manage and configure a protection setting for a protected AI model that is derived from the AI model; and a hypervisor, arranged to receive a safety setting command sent by the primary VM, and manage and configure a safety protection component according to the safety setting command, to set a read-only mode of the protected AI model; and a transmission interface, arranged to bind the primary VM to the hypervisor, and perform communications between the primary VM and the hypervisor.

2. The system of claim 1, wherein the processor is further arranged to execute the command hub that is a software module integrated in the hypervisor.

3. The system of claim 1, further comprising: the command hub; wherein the command hub is a hardware component external to the hypervisor executed on the processor.

4. The system of claim 1, wherein the AI model is injected to a kernel of an operating system running on the guest VM, and the protected AI model is derived from the AI model injected to the kernel.

5. The system of claim 1, wherein the AI model is injected to a shared memory between an operating system running on the guest VM and a kernel of the operating system, and the protected AI model is derived from the AI model injected to the shared memory.

6. The system of claim 1, wherein the processor is further arranged to execute: an isolated execution environment, arranged to verify a signature of the protected AI model, to ensure safety of the protected AI model before the computations are performed on the protected AI model by a direct memory access (DMA) circuit.

7. The system of claim 6, wherein the hypervisor is further arranged to set a no-read/write mode of the protected AI model by managing and configuring the safety protection component according to the safety setting command.

8. The system of claim 1, wherein the at least one command comprises a first command for AI model protection and a second command for AI model verification, and the primary VM further comprises: a verifier, arranged to verify a signature of the protected AI model according to the second command, to ensure safety of the protected AI model before the computations are performed on the protected AI model by a direct memory access (DMA) circuit.

9. The system of claim 1, wherein the AI model is a crypted AI model, and the processor is further arranged to execute: an isolated execution environment, arranged to perform decryption on the crypted AI model to generate the protected AI model.

10. The system of claim 1, wherein the AI model is a crypted AI model, the at least one command comprises a first command for AI model protection and a second command for AI model decryption, and the primary VM is further arranged to perform decryption on the crypted AI model according to the second command, to generate the protected AI model.

11. The system of claim 1, wherein the safety protection component comprises a memory management unit (MMU) or a memory protection unit (MPU).

12. A non-transitory machine-readable medium for storing a program code, wherein when loaded and executed by a processor, the program code instructs the processor to execute: a guest virtual machine (VM), wherein the guest VM comprises an artificial intelligence (AI) model, and the guest VM is arranged to send at least one command to a command hub; a primary VM, wherein the primary VM is arranged to receive the at least one command sent from the command hub, and refer to the at least one command to manage and configure a protection setting for a protected AI model that is derived from the AI model; and a hypervisor, arranged to receive a safety setting command sent by the primary VM, and manage and configure a safety protection component according to the safety setting command, to set a read-only mode of the protected AI model; wherein the primary VM is bound to the hypervisor when communications between the primary VM and the hypervisor is performed.

13. The non-transitory machine-readable medium of claim 12, wherein the program code further instructs the processor to execute the command hub that is a software module integrated in the hypervisor.

14. The non-transitory machine-readable medium of claim 12, wherein the command hub is implemented by a hardware component.

15. The non-transitory machine-readable medium of claim 12, wherein the AI model is injected to a kernel of an operating system running on the guest VM, and the protected AI model is derived from the AI model injected to the kernel.

16. The non-transitory machine-readable medium for of claim 12, wherein the AI model is injected to a shared memory between an operating system running on the guest VM and a kernel of the operating system, and the protected AI model is derived from the AI model injected to the shared memory.

17. The non-transitory machine-readable medium for storing a program code of claim 12, wherein the program code further instructs the processor to execute an isolated execution environment, and the isolated execution environment is arranged to verify a signature of the protected AI model, to ensure safety of the protected AI model before the computations are performed on the protected AI model.

18. The non-transitory machine-readable medium of claim 17, wherein the hypervisor is further arranged to set a no-read/write mode of the protected AI model by managing and configuring the safety protection component according to the safety setting command.

19. The non-transitory machine-readable medium of claim 12, wherein the AI model is a crypted AI model, the program code further instructs the processor to execute an isolated execution environment, and the isolated execution environment is arranged to perform decryption on the crypted AI model to generate the protected AI model.

Patent Metadata

Filing Date: June 15, 2022
Publication Date: April 1, 2025

Cite as: Patentable. “Model protection system” (US-12265838). https://patentable.app/patents/US-12265838